8. Building Effective Security into Acquisitions

Assured Visibility, Control, Compliance for Effective Security

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,... more »

0 votes
Public Input

2. Business Initiated Vulnerabilities

Create Gov Wide "Security Maven" Program for Gov IT Developers

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams. IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing "expertise" and "contractual" barriers... more »

4 votes
Public Input

8. Building Effective Security into Acquisitions

Supported ITAPS recommendations

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force) With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices... more »

1 vote
Public Input

1. Addressing Cyber Fundamentals

Supported ITAPS recommendations, part 4

Finance and Procurement: Organizational procurement programs should have clearly defined and communicated priorities, accompanied by clear direction to procurement agents on the procedures to acquire technology consistent with those priorities, resulting in a consistent, predictable, and agile acquisition approach that will result in more secure technology deployments. For example, the Director of the Office of Management... more »

2 votes
Public Input

8. Building Effective Security into Acquisitions

Enforce existing requirements

In 2011 the White House, via OMB, issued Memo M-11-11, which stated "Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities." https://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf. This memo had... more »

5 votes
Public Input

8. Building Effective Security into Acquisitions

IT Hardware Country of Origin Limits

With the preponderance of IT devices and chipsets being manufactured in China, there is a distinct possibility that the PLA is hard-coding spyware and back-doors in the hardware built there. Acquisition laws need to specifically require that all components & sub-components used in sensitive IT / data communications systems be built / fabricated and assembled by U.S. companies in the US. Further, safeguards (inspections... more »

8 votes
Public Input

8. Building Effective Security into Acquisitions

Working with Insurance Industry for Standards

There is a rapid increase in cyber insurance across the commercial landscape. This is getting the C-level attention because the risk and costs are being codified into actual numbers, not just fear of something bad happening. The Federal Government should leverage off this trend and require all Government contractors to have a level of insurance, which will likewise drive a level of accountability and measurement. This... more »

7 votes
Public Input